Date: 2021-11-07

Even today, ATMs are the system citizens use most to withdraw cash. Suffice it to say that in 2019 the European Central Bank recorded over 11 billion in cash withdrawals and loading/unloading operations. Despite the various technological evolutions over the years, the most common identification method for using these devices is still the PIN (personal identification number), which is not as secure as it may seem.

The study: an algorithm can predict the ATM PIN

Is covering the numeric keypad while typing the PIN to withdraw money at an ATM enough to hide it from prying eyes? The more precautions you take the better, but they are not enough, or at least not completely. This is demonstrated by a study by the Spritz group (Security and Privacy Through Zeal) of the University of Padua, "Hand Me Your PIN!", which proposes a new attack on ATMs that would allow an attacker to recover users' PINs, even from those who try to hide their typing with their free hand.

How does it work? According to the study, the attack could take place with a camera and the use of artificial intelligence, preceded by a preparatory phase in which a replica of the ATM is created and the behaviour of potential victims is simulated (in the study, only right-handed people). The attackers could use the small camera, positioned in the upper part of the ATM, to record the keys that are typed, with the help of a USB interface. The recorded video is then divided into fragments, and the times in the recording are matched to the keys pressed. In this way it would be possible to build a model based on the data: an algorithm capable of predicting the code for a specific branch.

Our attack owes its success to a carefully selected deep learning architecture that can deduce the PIN from the position and movements of the typing hand.

The algorithm would have a surprising ability to guess ATM card PINs. Within the limit of three attempts, before the card is blocked and becomes unusable, the study shows how the bad guys can recover the secret code in 30% of cases if it is composed of 5 digits, a percentage that rises to 41% for 4-digit PINs.